Firewall Wizards mailing list archives
Re: firewalls and the incoming traffic problem
From: "Paul D. Robertson" <proberts () clark net>
Date: Sun, 28 Sep 1997 13:31:57 -0400 (EDT)
On Sun, 28 Sep 1997, Marcus J. Ranum wrote:
> - Firewalls are good at providing access control on return traffic that is in response to a request that originated behind the firewall
> - Firewalls are poor at providing access control on "unsolicited" incoming traffic to generic services that are "required" as part of being on the Internet
or even seemingly "solicited" incoming traffic. Tunnels are a fact of life, and they'll just get worse as we move forward. That's why I'd like to see *official* MITM addressed in protocol specifications. If we're to _really_ take a stab at continuing to provide security and assurance levels, we *need* to be able to examine data. The other thing that folks seem to not understand about MITM attacks, especially on VPNs and the like, is that if you break the boundary of encryption by allowing unencrypted access to either endpoint, you're half-way down the path of compromise. Add that to the boneheaded product designers who don't allow keychange intervals without dropping the connection, and combine it with weak encryption, and VPNs will start failing not long out the door.
> Summary: firewalls originally offered the promise that you could "install a firewall and not worry about your internal security." Now, it's clear that firewalls force
That didn't hold true then, and it holds true less now. You can't never worry about internal security. My current trend is to firewall to provide zones of control (administrative, protocol, business, security, physical), and get a better overall separation of traffic destined for a network and traffic transited over a network. Network compartmentalization is a good thing, and locking down all the interchanges on a network is a start, and where firewalling still holds some perception of value to me.
> If I'm going to have to worry about the host security and the server side s/w on my internal systems, why shouldn't I just use a router with gross-level filtering to channel traffic into a few carefully configured backend servers? The "hard part" is doing the backend configuration anyhow!!
Because it's helpful to provide lower layer protection to those back-end servers, which will need all the whiz-bang stuff that folks want, and therefore be current rather than stable. Also, it's good to be able to enforce some application level control over traffic: being able to intercept mail from certain destinations, active components, URLs, do application layer re-direction for diagnostic, re-routing, or policy choices, and a bunch of stuff that gets overly complex at the packet layer and pretty easy at the application one.
> What's worrying me is all the folks I've seen who put a firewall in, and believe it is going to somehow protect the incoming traffic. :( I had a consulting gig where
Or tunneling traffic. Firewalls aren't fire and forget, and there is a vast mis-perception that once you have one, you're safe. You're _safer_ than without, but even beyond the usual 'total security' arguments, people need to understand that firewalls and Internet security are necessarily technical, time consuming, and difficult. If you're not watching all the time, analyzing everything, and constantly up-to-date, controlling desktop software versions and configs, blocking most of what 'everyone wants' but can't justify business-wise, and constantly tightening things down, then you're still a *great* target. If you're doing all of that and more, then you're still a target, and you can still miss things, but it gives a much higher level of assurance that you'll catch it before it gets really bad.
> I'm not saying that "firewalls are dead" because this problem has always been there and firewalls DO serve a purpose. The fact is that sites with firewalls get broken into less often than sites without. But - are a majority of firewall users falsely confident?
Undoubtedly, most firewall Admins are falsely confident, or too ignorant of the issues to maintain a reasonable level of paranoia.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net   which may have no basis whatsoever in fact."
PSB#9280
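The distinction the two posters are arguing over (return traffic for connections that originate behind the firewall versus unsolicited inbound traffic to the services a site must expose) can be made concrete with a small model. The following is an added example, not code from the thread or from either author: a toy stateful packet filter with constructed zones of control ("internal", "dmz", "external"), documentation-range addresses, and a constructed rule table in which only SMTP and HTTP on DMZ hosts accept unsolicited connections.

```python
"""Toy stateful packet filter illustrating the firewall-wizards discussion.
Added example; zones, addresses and rules are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones of control; documentation ranges, not real hosts.
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
}

# Constructed policy for *unsolicited* connection attempts:
# (source zone, destination zone, protocol, destination port or None for any).
# Only the "required" public services on DMZ hosts accept inbound connections.
NEW_CONNECTION_RULES = [
    ("internal", "external", "tcp", None),  # anything originating inside may go out
    ("internal", "dmz", "tcp", None),
    ("external", "dmz", "tcp", 25),         # SMTP to the mail relay
    ("external", "dmz", "tcp", 80),         # HTTP to the public web server
]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True only for a connection-opening segment


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the known nets is external."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


class StatefulFilter:
    """Allows return traffic for connections already permitted, applies the
    rule table only to new connections, and drops everything else."""

    def __init__(self) -> None:
        self.connections: set[tuple] = set()

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        # Return traffic (or further segments) of a connection already permitted.
        if self._key(p) in self.connections or self._reverse_key(p) in self.connections:
            return "ALLOW established"
        # A packet that opens no connection and matches no state is dropped.
        if not p.syn:
            return "DROP no-state"
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        for r_src, r_dst, r_proto, r_port in NEW_CONNECTION_RULES:
            if (r_src, r_dst, r_proto) == (src_zone, dst_zone, p.proto) and r_port in (None, p.dport):
                self.connections.add(self._key(p))
                return f"ALLOW new {src_zone}->{dst_zone}:{p.dport}"
        return f"DROP unsolicited {src_zone}->{dst_zone}:{p.dport}"


def run_demo() -> list[str]:
    """Constructed traffic: 203.0.113.9 stands in for an outside host."""
    fw = StatefulFilter()
    packets = [
        Packet("10.1.2.3", 40000, "203.0.113.9", 80, syn=True),  # inside -> web site
        Packet("203.0.113.9", 80, "10.1.2.3", 40000),             # its reply
        Packet("203.0.113.9", 4444, "10.1.2.3", 139, syn=True),   # unsolicited to inside
        Packet("203.0.113.9", 5555, "192.0.2.25", 25, syn=True),  # SMTP to DMZ relay
        Packet("203.0.113.9", 5556, "192.0.2.25", 22, syn=True),  # SSH to DMZ relay
        Packet("203.0.113.9", 4445, "10.1.2.3", 40001),           # stray non-SYN
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The SMTP connection the filter admits is exactly the "unsolicited incoming traffic to required services" Ranum describes: the packet filter has done all it can once it decides the port and zone pair are permitted, and says nothing about what the client then sends over that connection. That is the gap Robertson fills with application-level control (mail interception, URL and active-content policy) in front of, and hardening on, the back-end hosts.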